88. The Bearer of Bad News
Coming up this week on Breaking Badness. Today we discuss: Japanese Multinational Conglomerate Suffers Exposure, The DOJ Has Phish to Fry, and our fun new game, two truths and a lie.
Here are a few highlights from each article we discussed:
- All I’m going to say is I’m sure this never would have happened if they didn’t discontinue Provia and 3000B instant film. Ransomware probably would have never existed even if 3000B was still around. People would still be busy taking fantastic instant black and whites.
- Fuji is into so many different businesses now, but much like Eastman Kodak was in the US, they were the film monopoly in Japan for decades. Unlike Eastman Kodak they diversified intelligently and are still functional today. They do lots of imaging products, including digital camera lines and their legacy film business, but also are in biotech and other businesses related to digital imaging, chemical processing, and all the expertise that comes with that. Quite a huge holding company these days.
- They dropped that they had been investigating a ransomware incident and had shut down a lot of their network following that. The incident was a discovery of a trojan on the network which like many of the trojans out there is a precursor to a ransomware attack these days. These botnet authors hand off initial access to the ransomware affiliates for a cut of the money earned.
- Fuji didn’t go into details on the impact, but looked like it was just an external server based on the reporting we first saw with heavy potential for a ransomware attack following—according to the initial report of course. Now it has come out that it was a network in Japan that indeed did lead to ransomware.
- Qbot is the confirmed cultpril here as the initial trojan. Good old Qbot.
- Qbot is one of those trojans—or rather the operator behind it—is one of those operators that lends their botnet to ransomware groups. In the current instance Qbot is working with REvil, but they’ve worked with big names like Egregor in the past who came from the Maze group if you remember from our earlier episodes. Also of note is that Qbot is over a decade old now this year. That’s a long time running.
- I think we’re going to see some developments in the OS security space that makes ransomware less of a problem. It’s just a matter of time. But as of right now we might as well have a ransomware roundup each week. We can’t not talk about it because they are the big security stories of the week, but we’re also so tired of ransomware dominating the news. I don’t think it’s something some government policy or politicking can fix, but we are seeing some progress. It was a little late to be picked up for this week’s podcast, but news just dropped about a Latvian international being picked up for being an operator of the TrickBot botnet, another notorious botnet that often leads to Ryuk infections. It’s really interesting to watch that space, see what happens there in light of all this trouble, and how the ransomware gangs will respond depending on the prosecution there.
- Please do not visit theyardservice[.]com or worldhomeoutlet[.]com. Of course, if you did visit them, no harm would befall you now, since they’ve been seized. I guess I should say, if you observed any traffic to those domains prior to May 28, you have some IR work to do. These domains were involved with malware and other tooling such as Cobalt Strike: theyardservice one seems to have been for the initial infection after the victim was spear phished, and then certain subdomains of theyardservice as well as that worldhomeoutlet domain were download servers for Cobalt Strike.
- The domains had been observed as part of this recent spear phishing campaign, with the lure being a “special alert” message from USAID, the US Agency for International Development. A legit USAID account at an email marketing company was what enabled the spear phish, and the email had a link to one of these domains. It was pretty easy to follow the trail from there.
- They are attributing this campaign to a group Microsoft calls Nobelium. And we’re sort of burying the lede here, but you may have heard about spear phishing campaigns from the nice people who brought you the SolarWinds incursion. That’s Nobelium. They are the same group referred to as Solorigate when the SolarWinds news first broke.
- Once Microsoft estimated that the actors behind SolarWinds were state-sponsored, which to be honest didn’t really take that long to determine, they went with their pattern of identifying the group by an element name. BTW, we’re going to need the folks at CERN to spend some time with that collider. They have to create some new elements, because we’re going to run out of periodic table squares at some point and we’ll need new elements for Microsoft to use. Anyway, as you might expect from a state-sponsored actor, the targeting by Nobelium appears to have been government orgs, NGOs, military, IT service providers, health care providers, and telecom providers—a pretty wide swath but one that in each instance has the potential to deliver high-value targets.
- The threat actors conducted the phishing campaign via this “special alert” email that showed up from a legit address tied to USAID. If the victim fell for the lure, which in at least one instance seems to have been that donald trump released new documents related to his false claims or election fraud, they would click on a link to learn more about the supposed news, and that would take them first to a legit domain run by Constant Contact, which is the email marketing firm where they gained account access—but from there it redirects to that theyardservice domain and begins the process of downloading and chaining the tooling they used to gain access to the victim network.
- Honestly it’s hard to say how big of a win this was for the DOJ, because on the one hand you always love to see these takedowns, and to know that some evil infrastructure has been taken offline. On the other hand, though, I did some digging around in Iris starting with those two domains, and I found a LOT of sketchy infrastructure with pretty strong ties to the two that were seized. As it goes with these things, it would take more analysis than I’ve had time to do to definitively prove the connections, but where there’s smoke there’s fire, so I think it’s safe to say that two domains don’t represent the totality of Nobelium’s holdings, in fact probably not even the full extent of this spear phishing campaign. If folks have seen traffic to those domains, even now when they are sort of inert, if I were them, I would definitely set up some alerts and do some retro-hunting on the domains that were not seized but which show strong connectivity to the ones that were, because any traffic to those assets is an indication that something bad is going on—and even if the badness is not Nobelium itself, the risk profiles of these other domains is so high that it’s very probable that they represent *some* sort of evil. Get out there and do your Iris-ing, folks!
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
Japanese Multinational Conglomerate Suffers Exposure
[Chad]: 35 Millimeter/10 Hoodies
[Tim]: 5/10 Hoodies
The DOJ Has Phish to Fry
[Chad]: 5/10 Goodies
[Tim]: 5/10 Goodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!